forked from linuxboot/heads
-
-
Notifications
You must be signed in to change notification settings - Fork 4
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
patches/hotp-verification-*/46.patch : readd Nitrokey/nitrokey-hotp-v…
…erification#46 so that this PR can be tested and reviewed from OEM Factory Reset/User Re-Ownership perspective (PR 43 not in which fixes hotp_verification info, needed to reuse default PINs under seal-hotp if pubkey age <1 month and if Secret app PIN/GPG Admin PIN count >=3 ) Repro: mkdir patches/hotp-verification-e9050e0c914e7a8ffef5d1c82a014e0e2bf79346 wget https://patch-diff.githubusercontent.com/raw/Nitrokey/nitrokey-hotp-verification/pull/46.patch -O patches/hotp-verification-e9050e0c914e7a8ffef5d1c82a014e0e2bf79346/46.patch sudo rm -rf build/x86/hotp-verification-e9050e0c914e7a8ffef5d1c82a014e0e2bf79346/ ./docker_repro.sh make BOARD=qemu-coreboot-whiptail-tpm2-hotp USB_TOKEN=Nitrokey3NFC PUBKEY_ASC=pubkey.asc inject_gpg run Signed-off-by: Thierry Laurion <insurgo@riseup.net>
- Loading branch information
Showing
1 changed file
with
219 additions
and
0 deletions.
There are no files selected for viewing
219 changes: 219 additions & 0 deletions
219
patches/hotp-verification-e9050e0c914e7a8ffef5d1c82a014e0e2bf79346/46.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,219 @@ | ||
From de355ed93ba50280bf377772082b76b7a2285185 Mon Sep 17 00:00:00 2001 | ||
From: =?UTF-8?q?Sosth=C3=A8ne=20Gu=C3=A9don?= <sosthene@nitrokey.com> | ||
Date: Mon, 25 Nov 2024 17:04:47 +0100 | ||
Subject: [PATCH 1/3] Add reset command for nitrokey 3 | ||
|
||
--- | ||
src/main.c | 10 ++++++++-- | ||
src/operations_ccid.c | 41 +++++++++++++++++++++++++++++++++++++++++ | ||
src/operations_ccid.h | 1 + | ||
3 files changed, 50 insertions(+), 2 deletions(-) | ||
|
||
diff --git a/src/main.c b/src/main.c | ||
index 059069e..b80b71d 100644 | ||
--- a/src/main.c | ||
+++ b/src/main.c | ||
@@ -21,6 +21,7 @@ | ||
|
||
#include "ccid.h" | ||
#include "operations.h" | ||
+#include "operations_ccid.h" | ||
#include "return_codes.h" | ||
#include "utils.h" | ||
#include "version.h" | ||
@@ -134,8 +135,13 @@ int parse_cmd_and_run(int argc, char *const *argv) { | ||
} | ||
break; | ||
case 'r': | ||
- if (argc != 3) break; | ||
- res = regenerate_AES_key(&dev, argv[2]); | ||
+ if (strncmp(argv[1], "reset", 15) == 0) { | ||
+ if (argc != 2) break; | ||
+ res = nk3_reset(&dev); | ||
+ } else if (strncmp(argv[1], "regenerate", 15) == 0) { | ||
+ if (argc != 3) break; | ||
+ res = regenerate_AES_key(&dev, argv[2]); | ||
+ } | ||
break; | ||
default: | ||
break; | ||
diff --git a/src/operations_ccid.c b/src/operations_ccid.c | ||
index eb46124..574155d 100644 | ||
--- a/src/operations_ccid.c | ||
+++ b/src/operations_ccid.c | ||
@@ -32,6 +32,47 @@ | ||
#include <string.h> | ||
|
||
|
||
+ | ||
+int nk3_reset(struct Device *dev) { | ||
+ libusb_device *usb_dev; | ||
+ struct libusb_device_descriptor usb_desc; | ||
+ usb_dev = libusb_get_device(dev->mp_devhandle_ccid); | ||
+ | ||
+ int r = libusb_get_device_descriptor(usb_dev, &usb_desc); | ||
+ | ||
+ if (r < 0) { | ||
+ return r; | ||
+ } | ||
+ | ||
+ | ||
+ if (usb_desc.idVendor != NITROKEY_USB_VID || usb_desc.idProduct != NITROKEY_3_USB_PID) { | ||
+ return 0; | ||
+ } | ||
+ | ||
+ | ||
+ uint8_t buf[10]; | ||
+ // encode | ||
+ uint32_t icc_actual_length = iso7816_compose(buf, sizeof buf, Ins_Reset, 0xDE, 0xAD, 0, 0, NULL, 0); | ||
+ | ||
+ // encode ccid wrapper | ||
+ icc_actual_length = icc_compose(dev->ccid_buffer_out, sizeof dev->ccid_buffer_out, | ||
+ 0x6F, icc_actual_length, | ||
+ 0, 0, 0, buf); | ||
+ // send | ||
+ IccResult iccResult; | ||
+ r = ccid_process_single(dev->mp_devhandle_ccid, dev->ccid_buffer_in, sizeof dev->ccid_buffer_in, | ||
+ dev->ccid_buffer_out, icc_actual_length, &iccResult); | ||
+ if (r != 0) { | ||
+ return r; | ||
+ } | ||
+ // check status code | ||
+ if (iccResult.data_status_code != 0x9000) { | ||
+ return 1; | ||
+ } | ||
+ | ||
+ return RET_NO_ERROR; | ||
+} | ||
+ | ||
int set_pin_ccid(struct Device *dev, const char *admin_PIN) { | ||
TLV tlvs[] = { | ||
{ | ||
diff --git a/src/operations_ccid.h b/src/operations_ccid.h | ||
index b26b3c7..ec0070c 100644 | ||
--- a/src/operations_ccid.h | ||
+++ b/src/operations_ccid.h | ||
@@ -11,6 +11,7 @@ int authenticate_or_set_ccid(struct Device *dev, const char *admin_PIN); | ||
int set_secret_on_device_ccid(struct Device *dev, const char *admin_PIN, const char *OTP_secret_base32, const uint64_t hotp_counter); | ||
int verify_code_ccid(struct Device *dev, const uint32_t code_to_verify); | ||
int status_ccid(libusb_device_handle *handle, int *attempt_counter, uint16_t *firmware_version, uint32_t *serial_number); | ||
+int nk3_reset(struct Device *dev); | ||
|
||
|
||
#endif//NITROKEY_HOTP_VERIFICATION_OPERATIONS_CCID_H | ||
|
||
From 8425e8c622138aef9ab207119e14f7cbedd40175 Mon Sep 17 00:00:00 2001 | ||
From: =?UTF-8?q?Sosth=C3=A8ne=20Gu=C3=A9don?= <sosthene@nitrokey.com> | ||
Date: Mon, 2 Dec 2024 10:29:59 +0100 | ||
Subject: [PATCH 2/3] Add optional new pin when resetting | ||
|
||
--- | ||
src/main.c | 9 +++++---- | ||
src/operations_ccid.c | 6 +++++- | ||
src/operations_ccid.h | 5 ++++- | ||
3 files changed, 14 insertions(+), 6 deletions(-) | ||
|
||
diff --git a/src/main.c b/src/main.c | ||
index b80b71d..3f4a1cc 100644 | ||
--- a/src/main.c | ||
+++ b/src/main.c | ||
@@ -38,9 +38,10 @@ void print_help(char *app_name) { | ||
"\t%s info\n" | ||
"\t%s version\n" | ||
"\t%s check <HOTP CODE>\n" | ||
- "\t%s regenerate <ADMIN PIN>\n" | ||
+ "\t%s reset [ADMIN PIN]\n" | ||
+ "\t%s regenerate\n" | ||
"\t%s set <BASE32 HOTP SECRET> <ADMIN PIN> [COUNTER]\n", | ||
- app_name, app_name, app_name, app_name, app_name, app_name); | ||
+ app_name, app_name, app_name, app_name, app_name, app_name, app_name); | ||
} | ||
|
||
|
||
@@ -136,8 +137,8 @@ int parse_cmd_and_run(int argc, char *const *argv) { | ||
break; | ||
case 'r': | ||
if (strncmp(argv[1], "reset", 15) == 0) { | ||
- if (argc != 2) break; | ||
- res = nk3_reset(&dev); | ||
+ if (argc != 2 && argc != 3) break; | ||
+ res = nk3_reset(&dev, argc == 3 ? argv[2]: NULL); | ||
} else if (strncmp(argv[1], "regenerate", 15) == 0) { | ||
if (argc != 3) break; | ||
res = regenerate_AES_key(&dev, argv[2]); | ||
diff --git a/src/operations_ccid.c b/src/operations_ccid.c | ||
index 574155d..07834ce 100644 | ||
--- a/src/operations_ccid.c | ||
+++ b/src/operations_ccid.c | ||
@@ -33,7 +33,7 @@ | ||
|
||
|
||
|
||
-int nk3_reset(struct Device *dev) { | ||
+int nk3_reset(struct Device *dev, const char * new_pin) { | ||
libusb_device *usb_dev; | ||
struct libusb_device_descriptor usb_desc; | ||
usb_dev = libusb_get_device(dev->mp_devhandle_ccid); | ||
@@ -70,6 +70,10 @@ int nk3_reset(struct Device *dev) { | ||
return 1; | ||
} | ||
|
||
+ if (new_pin != NULL) { | ||
+ set_pin_ccid(dev, new_pin); | ||
+ } | ||
+ | ||
return RET_NO_ERROR; | ||
} | ||
|
||
diff --git a/src/operations_ccid.h b/src/operations_ccid.h | ||
index ec0070c..61cad72 100644 | ||
--- a/src/operations_ccid.h | ||
+++ b/src/operations_ccid.h | ||
@@ -11,7 +11,10 @@ int authenticate_or_set_ccid(struct Device *dev, const char *admin_PIN); | ||
int set_secret_on_device_ccid(struct Device *dev, const char *admin_PIN, const char *OTP_secret_base32, const uint64_t hotp_counter); | ||
int verify_code_ccid(struct Device *dev, const uint32_t code_to_verify); | ||
int status_ccid(libusb_device_handle *handle, int *attempt_counter, uint16_t *firmware_version, uint32_t *serial_number); | ||
-int nk3_reset(struct Device *dev); | ||
+// new_pin can be `null` | ||
+// | ||
+// If it is, no new pin will be set | ||
+int nk3_reset(struct Device *dev, const char * new_pin); | ||
|
||
|
||
#endif//NITROKEY_HOTP_VERIFICATION_OPERATIONS_CCID_H | ||
|
||
From 596f701985682adf6bfab06c78cbe132cbcb2aae Mon Sep 17 00:00:00 2001 | ||
From: =?UTF-8?q?Sosth=C3=A8ne=20Gu=C3=A9don?= <sosthene@nitrokey.com> | ||
Date: Tue, 3 Dec 2024 10:48:27 +0100 | ||
Subject: [PATCH 3/3] Fix null pointer bug on non nk3 | ||
|
||
--- | ||
src/operations_ccid.c | 8 +++++++- | ||
1 file changed, 7 insertions(+), 1 deletion(-) | ||
|
||
diff --git a/src/operations_ccid.c b/src/operations_ccid.c | ||
index 07834ce..538d434 100644 | ||
--- a/src/operations_ccid.c | ||
+++ b/src/operations_ccid.c | ||
@@ -36,6 +36,12 @@ | ||
int nk3_reset(struct Device *dev, const char * new_pin) { | ||
libusb_device *usb_dev; | ||
struct libusb_device_descriptor usb_desc; | ||
+ | ||
+ if (!dev->mp_devhandle_ccid) { | ||
+ // Not an NK3 | ||
+ return RET_NO_ERROR; | ||
+ } | ||
+ | ||
usb_dev = libusb_get_device(dev->mp_devhandle_ccid); | ||
|
||
int r = libusb_get_device_descriptor(usb_dev, &usb_desc); | ||
@@ -46,7 +52,7 @@ int nk3_reset(struct Device *dev, const char * new_pin) { | ||
|
||
|
||
if (usb_desc.idVendor != NITROKEY_USB_VID || usb_desc.idProduct != NITROKEY_3_USB_PID) { | ||
- return 0; | ||
+ return RET_NO_ERROR; | ||
} | ||
|
||
|